veilor-os/.github/workflows/lint.yml
claude-veilor-bot 8c55802514
Some checks failed
Build veilor-os OCI (BlueBuild) / Build + sign + push OCI (pull_request) Failing after 0s
Lint / Kickstart syntax (pull_request) Failing after 0s
Lint / Shell scripts (pull_request) Failing after 0s
Lint / No personal/onyx leaks (pull_request) Failing after 0s
ci(bluebuild): pin actions to node20-safe tags
forgejo-runner v6.4.0 javascript runtime is node20. Pin every
javascript action used in the spike branch's workflows to the last
release that ships node20.

- actions/checkout v4 -> v4.1.7 (3 files)
- softprops/action-gh-release v2 -> v2.0.4 (build-iso)
- anchore/sbom-action v0 -> v0.17.2
- actions/attest-build-provenance v2 -> v2.2.3
- blue-build/github-action@v1 unchanged (TODO: SHA pin)

This is the spike-branch counterpart of the main-branch fix in
feat/runner-fix-docker-sock-and-node20.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 10:50:24 +01:00


```yaml
name: Lint
on:
  push:
    branches: [main]
  pull_request:
jobs:
  ksvalidate:
    name: Kickstart syntax
    runs-on: ubuntu-24.04
    container:
      image: registry.fedoraproject.org/fedora:43
    steps:
      # Pinned to last v4 tag confirmed to ship on node20.
      - uses: actions/checkout@v4.1.7
      - run: dnf -y install pykickstart
      - run: ksvalidator kickstart/veilor-os.ks
  shellcheck:
    name: Shell scripts
    runs-on: ubuntu-24.04
    steps:
      # Pinned to last v4 tag confirmed to ship on node20.
      - uses: actions/checkout@v4.1.7
      - uses: ludeeus/action-shellcheck@master
        with:
          severity: warning
          ignore_paths: build/cache .github
  brand-leak:
    name: No personal/onyx leaks
    runs-on: ubuntu-24.04
    steps:
      # Pinned to last v4 tag confirmed to ship on node20.
      - uses: actions/checkout@v4.1.7
      - name: Grep for leaks
        run: |
          set -e
          # Scope: ship-state source dirs only. Audit reports, CHANGELOG,
          # PR templates, test checklists, and the lint workflow itself
          # legitimately quote the forbidden strings as findings/examples
          # — they don't ship in the ISO, so they're out of scope.
          MATCHES=$(grep -rIni \
            -e 'onyx' \
            -e '192\.168\.0\.' \
            -e 'fedora\.local' \
            -e 'xynki\.dev' \
            kickstart/ overlay/ scripts/ assets/ build/ \
            || true)
          # Filter self-referencing sanity-grep lines: the kickstart and
          # post-install scripts run their own brand-leak scan against the
          # installed /etc — those grep invocations literally contain the
          # forbidden strings as patterns, not as leaked data.
          LEAKS=$(echo "$MATCHES" | grep -v \
            -e "grep .*'onyx" \
            -e '# Sanity:' \
            -e 'brand leak' \
            || true)
          if [[ -n "$LEAKS" ]]; then
            echo "::error::Brand leaks detected"
            echo "$LEAKS"
            exit 1
          fi
          echo "no leaks ✓"
```
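As an added example (not part of this commit or the repository), the scan-and-filter logic of the brand-leak step as a bash function run locally against a constructed fixture. The fixture paths and the `2>/dev/null` on grep are assumptions; the comments note that the filter is applied to whole `file:line:text` output lines.

```bash
#!/usr/bin/env bash
# Added example, not the repository's code: the brand-leak step's scan and
# filter as a function that can be run locally before pushing.
# Usage: scan_for_leaks DIR...  Prints remaining hits; returns 1 if any.
scan_for_leaks() {
  local matches leaks
  # Same patterns as the workflow: -r recurse, -I skip binaries,
  # -n line numbers, -i case-insensitive. Missing dirs are silenced
  # (the workflow lets grep's stderr through; that is the only change).
  matches=$(grep -rIni \
    -e 'onyx' \
    -e '192\.168\.0\.' \
    -e 'fedora\.local' \
    -e 'xynki\.dev' \
    "$@" 2>/dev/null || true)
  # The filter runs over whole "file:line:text" output lines, so a path
  # or a comment containing e.g. "brand leak" would mask a hit on that line.
  leaks=$(printf '%s\n' "$matches" | grep -v \
    -e "grep .*'onyx" \
    -e '# Sanity:' \
    -e 'brand leak' \
    || true)
  if [ -n "$leaks" ]; then
    printf '%s\n' "$leaks"
    return 1
  fi
  return 0
}

# Constructed fixture (hypothetical paths, not from the repo): a clean tree
# whose post-install script greps for the strings itself, and a dirty tree
# with a real private-LAN address.
make_fixture() {
  local dir
  dir=$(mktemp -d)
  mkdir -p "$dir/clean" "$dir/dirty"
  printf 'server=build.example.invalid\n' > "$dir/clean/config.sh"
  printf "grep -ri 'onyx' /etc && echo 'brand leak'\n" > "$dir/clean/post.sh"
  printf 'gateway=192.168.0.1\n' > "$dir/dirty/net.conf"
  printf '%s' "$dir"
}

# Stand-alone demo on the fixture: the clean tree passes, the dirty tree fails.
fixture=$(make_fixture)
scan_for_leaks "$fixture/clean" && echo "clean tree: no leaks"
scan_for_leaks "$fixture/dirty" || echo "dirty tree: leak found (expected)"
```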